Cisco ASA 5506-X Configuration Manual, page 134
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 6    Getting Started with Application Layer Protocol Inspection
Defaults for Application Inspection

  • Inspected protocols are subject to advanced TCP-state tracking, and the TCP state of these
    connections is not automatically replicated. While these connections are replicated to the standby
    unit, there is a best-effort attempt to re-establish a TCP state.
  • TCP/UDP traffic directed to the ASA (to an interface) is inspected by default. However, ICMP
    traffic directed to an interface is never inspected, even if you enable ICMP inspection. Thus, a ping
    (echo request) to an interface can fail under specific circumstances, such as when the echo request
    comes from a source that the ASA can reach through a backup default route.

Defaults for Application Inspection

The following topics explain the default operations for application inspection.
  • Default Inspections and NAT Limitations, page 6-6
  • Default Inspection Policy Maps, page 6-9

Default Inspections and NAT Limitations

By default, the configuration includes a policy that matches all default application inspection traffic and
applies inspection to the traffic on all interfaces (a global policy). Default application inspection traffic
includes traffic to the default ports for each protocol. You can only apply one global policy, so if you
want to alter the global policy, for example, to apply inspection to non-standard ports, or to add
inspections that are not enabled by default, you need to either edit the default policy or disable it and
apply a new one.

The following table lists all inspections supported, the default ports used in the default class map, and
the inspection engines that are on by default, shown in bold. This table also notes any NAT limitations.
In this table:
  • Inspection engines that are enabled by default for the default port are in bold.
  • The ASA is in compliance with the indicated standards, but it does not enforce compliance on
    packets being inspected. For example, FTP commands are supposed to be in a particular order, but
    the ASA does not enforce the order.

Table 6-1    Supported Application Inspection Engines

Application    Default Port   NAT Limitations                            Standards   Comments
CTIQBE         TCP/2748       No extended PAT.
                              No NAT64.
                              (Clustering) No static PAT.
DCERPC         TCP/135        No NAT64.
DNS over UDP   UDP/53         No NAT support is available for name       RFC 1123
                              resolution through WINS.
FTP            TCP/21         (Clustering) No static PAT.                RFC 959
GTP            UDP/3386       No extended PAT.                                       Requires a special
               UDP/2123       No NAT.                                                license.

Cisco ASA Series Firewall CLI Configuration Guide    6-6
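The following is an added configuration example, not text from the guide, showing how the single global policy described above is edited so that FTP inspection also covers a non-standard port. The port TCP/2121 and the class-map name ftp-alt-port are assumed values.

```cisco
! Added example (not from the Cisco guide). Extends the default global policy so that
! FTP inspection also applies to an assumed non-standard port, TCP/2121.
!
! Default pieces present in the factory configuration (only the FTP line of the
! default class is shown here):
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect ftp
!
! New class for the assumed non-standard port. Because only one global policy can be
! applied, the class is added to the existing global_policy instead of creating a
! second policy map and applying it globally.
class-map ftp-alt-port
 match port tcp eq 2121
!
policy-map global_policy
 class ftp-alt-port
  inspect ftp
!
service-policy global_policy global
!
! Confirm that both classes are now inspecting FTP and show per-class counters:
! show service-policy global inspect ftp
```

The NAT limitations in Table 6-1 still apply to the added class: in a cluster, FTP connections on the alternate port cannot use static PAT any more than those on TCP/21 can.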